Cybersecurity law gives feds new power to protect the grid
Within the $1.1 trillion spending bill signed by President Obama last month is a legal framework for sharing information about digital security threats that upset privacy advocates but that energy industry officials say will help keep the nation’s electric grid safe from cyberattacks.
“While the electric power sector already engages in significant information-sharing, and has in place mandatory and enforceable reliability and cybersecurity standards, taking steps to improve the sharing of actionable security information between the government and industry is vital to protecting the electric grid from all possible threats,” Edison Electric Institute President Tom Kuhn said in a statement after the legislation was passed.
The new law, known as the Cybersecurity Act of 2015, grants legal protection to private companies and government agencies sharing what they know about digital security risks and potential attacks. Under the law, companies are exempt from antitrust scrutiny and other forms of liability for working together to share threat information.
The law’s passage comes at a time of increased attention to potential cyber vulnerabilities in the electric grid. An electrical outage last month in Ukraine is said to be the first attributable to a digital attack, which that country’s security authorities have reportedly blamed on Russia. And in the United States, the Associated Press, citing anonymous sources, reported late last month that foreign hackers have apparently penetrated utility operational networks about a dozen times within the past decade.
National Security Agency Director Adm. Michael Rogers told lawmakers last year that China and “one or two” other countries are capable of such digital attacks. Iran also is suspected of being in that camp.
Organizations in the electric power sector were sharing security information even before passage of the cybersecurity act, said Scott Aaronson, EEI’s senior director of national security policy.
“A lot of what this legislation clarifies – not all – but a lot of what this legislation clarifies is already happening between the government and the industry when it comes to cyberthreat indicators,” he said.
Those indicators can be anything from vulnerabilities in commonly used software to evidence of ongoing attacks or infections by malicious software, he said.
“It is malware, it is threat signatures, it is bad [Internet protocol] addresses, it is vulnerability information, and it is forensics on known attacks,” said Aaronson. “It runs the whole gamut and sort of speaks to the necessity of sharing information – there is a lot of it.”